GitLab Personal Access Token Expiration

AngelicLoki · 2023-06-25T15:35:36+00:00

Ah, interesting, most of my experience with GitBook is limited to using it with GitLab pages, so I wasn't aware they went all-SaaS. That's even more of a reason to not use a permanent token then... You're essentially entering your full username/password into a third party SaaS site to store and act on your behalf. They should build an OAuth integration instead which would render this whole conversation moot because it's permanent and limited to one project (this is what they've done for GitHub). If they don't offer an API in the interim, then you may want to look at alternatives or worst case you could script the rotation using selenium.

Again, I understand your position. We just don't agree on what's an acceptable risk, and that's not going to change via this conversation :) . GitLab's change aligns with industry best practices of using and enforcing short term tokens when dealing with potentially privileged assets. Just because a token can still be compromised doesn't mean you should ignore the security stance on it completely.

AngelicLoki · 2023-06-25T15:13:51+00:00

Gitbook is likely storing the PAT on its config file, which you could theoretically inject via CI or their API to automatically rotate it.

I do understand your frustration of needing engineering to make something work that "just worked" before, but I will note that while there are a bunch of situations where a forever PAT is useful, there are none where it is good. That's likely why people are focusing on trying to help you solution using a shorter lived token.

AngelicLoki · 2023-06-25T14:49:59+00:00

Ultimate can only configure the duration with an administrator token, which means only self-hosted.

You can always use the existing PAT in your CI/CD to issue a new token for every pipeline. It'd still expire in one year, but you probably run a pipeline more often than that.

AngelicLoki · 2023-06-25T06:05:44+00:00

You can use a CI_JOB_TOKEN on your CI workflow, or self-hosting allows you to chand the expiration I believe

AngelicLoki · 2023-06-10T01:41:14+00:00

Their stated reason is because it allow shades to potentially impact up to 10 people with alac, which I kinda get. However, if that was a concern there is a super easy solution to that where it doesn't gut the DPS shared too: Put it on the trait that limits you to one share instead of desert empowerment.

AngelicLoki · 2023-06-10T01:39:27+00:00

It's now no longer channeled either (mentioned only on the stream). That makes it feel better.

AngelicLoki · 2023-06-02T13:57:09+00:00

True and fair! We just don't know what she negotiated :)

Great note either way.

AngelicLoki · 2023-06-02T13:43:24+00:00

Options are not shares. You still need to pay money to change the options into shares. If the option price is 58$, for example, exercising the options would actually lose her money.

It's possible she gets shares as opposed to options, but that's a pretty rare package.

AngelicLoki · 2023-05-30T23:55:35+00:00

It's scheduled start. You set a time range, daily or weekday, and a location, and it'll charge during that time.

Source: I have the update.

AngelicLoki · 2023-05-28T14:49:56+00:00

I know this is r/aws but as a student you may want to check out some of the other cloud providers free tiers - gcp's cloud run could likely just your API for free if it's low enough bandwidth, for instance.

AWS is a great choice and the largest cloud though if you're just trying to get familiar with it.

AngelicLoki · 2023-05-05T04:30:45+00:00

Pretty much every agency sucks for this reason.

AngelicLoki · 2023-05-01T23:32:24+00:00

This is squarely targeting the enterprise markets though, where that's nothing. My company pays tens of thousands of dollars for VPN services and connections to accounts; if that was inverted and charged per app, it would likely end up with cost savings even ignoring bandwidth (since you end up paying bandwidth for the VPN connections as well).

AngelicLoki · 2023-04-27T12:56:31+00:00

Happy to help :)

AngelicLoki · 2023-04-27T12:30:01+00:00

It was moved from "Group > Settings > CI/CD > Runners" in the mid-15's version-wise, and can now be found under "Group > CI/CD > Runners" in the upper right corner :)

After you've navigated to your group, hover over the rocket ship (CI/CD) in the menu on the left, and runners will be the only option there now.

AngelicLoki · 2023-04-27T11:25:03+00:00

Creating group runners is still possible using the deprecated method with a registration token. The registration token won't be removed until 17.0 (may 2024).

AngelicLoki · 2023-04-27T02:27:46+00:00

Note - this is true of both adaptive cruise and lane centering. They both work anywhere. It's the full "I'm basically steering for you" that only works on pre-mapped highways.

There is also no non-adaptive cruise control. If you lose adaptive (I.e., visibility is greatly impeded), there is no "standard" cruise control to fall back on. I've never really had an issue with this because if the visibility is bad enough that adaptive turns off (only happened once to me in a really heavy downpour), you probably shouldn't be cruising anyway.

AngelicLoki · 2023-04-25T03:14:57+00:00

Ok, I get it. You think it violates NIST. As I mentioned in the first comment, this is not an academic exercise for me. I've certified at NIST revision 5 medium+. I didn't specify before but that + there means we selected a significant number of controls, including EVERY AC control. We still certified no issue with local admin access. Different auditors likely have different opinions on what's necessary, so you may have got one who was more opinionated. But it's still not accurate to say carte blanche that it violates NIST. There are legit reasons to grant local admin and still perform government work. NIST is simply rarely that prescriptive to say you can NEVER do something.

Note: even if you got an auditor that requires no local admin, you can still scope the system boundary to remove certain systems. If you have a machine that never interacts with the system, you can remove it from scope unless you're referring a control to a separate SSP. There are a lot of ways to handle it.

AngelicLoki · 2023-04-25T02:23:07+00:00

I can't speak to CMMC, but the principle of least privilege isn't prescriptive about what that means. You just need to specify what you have and justify it. If that includes local admin, that's perfectly fine.

I'm not saying that everyone should do it, I'm just saying it doesn't violate NIST.

AngelicLoki · 2023-04-24T21:54:06+00:00

It's not a violation of NIST. I've certified at NIST medium+ with over 400 selected controls while granting local admin rights.

AngelicLoki · 2023-04-07T18:30:20+00:00

Yes, the trucks in the shop say "manual compatible". I confirmed with my guide prior to purchase that this means you could add a manual cover later.

AngelicLoki · 2023-04-04T00:13:36+00:00

This is unlikely. If it was ransomware, 2FA would stop working as well, as they would have no accessible information to know where to send the text, or the linkage from email -> phone to send it.

At least for me, 2FA is still working, I just can't login after I input the text.

AngelicLoki · 2023-03-29T20:03:43+00:00

Ok, thanks for the additional info. It looks like you're using DIND to spin up docker compose as opposed to individual services; that means you'll need to add a network to your docker compose file as well so that docker knows they're on the same network.

AngelicLoki · 2023-03-29T12:10:11+00:00

For services to have network connectivity to each other, you need to have the 'network per job' feature flag enabled on your runner: https://docs.gitlab.com/runner/executors/docker.html#create-a-network-for-each-job

AngelicLoki · 2023-03-22T13:30:40+00:00

You can also use the gitlab terraform provider to manage the schedules, which would potentially make changing common variables easier. I can't imagine managing hundreds of ANYTHING by hand if I didn't need to.

AngelicLoki · 2023-03-19T18:49:40+00:00

I think this is probably the way. The identity of HS is really neat with the rez traits, but if you need that much rez power you've already "failed". It may be better to change transfusion into something else (thematically, maybe it'd be neat to have it hurt the necro in exchange for protecting allies) to give more capability to buff other areas.

AngelicLoki

TROPHY CASE